What would be an appropriate length of time for a session variable
for a hacker who's doing what you described:
If they read in the form page and then submit it using a script for
many days without re-reading the original form it will appear to the
server that they took days to fill.
Would the same hold true for session variables?
-Original Message-
From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
Sent: Friday, February 15, 2013 11:18 PM
To: cf-talk
Subject: RE: Problem with Hackers on Donation form through Authorize.net
If they read in the form page and then submit it using a script for
many days without re-reading the original form, it will appear to the
server that they took days to fill. So testing for more than a few
hours should be good...
Sessions might work but they should expire quickly... then if the
session variable is not present you know they took too long.
At 10:04 PM 2/15/2013, you wrote:
You mean, by staying on the page so long that it's an indication
that he's hacking the form or the cfc method that does the processing
instead of doing a normal form submit like a typical user would?
And what if the hacker has cookies disabled? And are you suggesting that
a session variable wouldn't be as good as a cookie?
Thanks for the feedback...
Rick
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354554
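The time-window check discussed in this thread, as an added CFML example (not code from any of the posters). The function names, the `session.donationForm` key and the 120-minute limit are assumptions; the example also goes one step beyond the thread by making each token single-use, so one fetched form cannot back many scripted submissions.

```cfml
<cfscript>
// Added example: hypothetical names, not from the thread.

// Call while rendering the donation form; emit the return value in a hidden field.
function issueFormToken() {
    var token = createUUID();
    lock scope="session" type="exclusive" timeout="5" {
        session.donationForm = { token = token, issuedAt = now() };
    }
    return token;
}

// Call first in the form handler, before any payment gateway request.
// Returns "ok", or the reason the submission should be rejected.
function checkFormToken(required string submittedToken, numeric maxAgeMinutes = 120) {
    var issued = "";
    var found = false;
    lock scope="session" type="exclusive" timeout="5" {
        if (structKeyExists(session, "donationForm")) {
            issued = session.donationForm;
            found = true;
            // Single use: a replayed POST finds nothing on the next attempt.
            structDelete(session, "donationForm");
        }
    }
    // No session entry: session expired, token already used, or the form was never loaded.
    if (!found) return "missing";
    if (compare(issued.token, arguments.submittedToken) != 0) return "mismatch";
    // Form was fetched longer ago than the allowed window (assumed: 120 minutes).
    if (dateDiff("n", issued.issuedAt, now()) > arguments.maxAgeMinutes) return "expired";
    return "ok";
}

// Handler usage (form.formToken is the assumed hidden field name):
// result = checkFormToken(structKeyExists(form, "formToken") ? form.formToken : "");
// if (result != "ok") { /* log result and client IP, then stop before charging */ }
</cfscript>
```

A client that does not send back the session cookie gets a fresh session on every request, so its submissions come back as "missing" and are rejected the same way as an expired session.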